[Snort-users] Alerts were Generated on my Snort IDS box for the Heartbleed Vulnerability

Teo En Ming teo.en.ming at ...11827...
Sun Apr 13 15:10:06 EDT 2014


Hi,

I went to the following mcafee.com site to check my website for the
heartbleed vulnerability.

http://tif.mcafee.com/heartbleedtest

Snort rules which detect the Heartbleed vulnerability were fired. These
Snort rules come from the Snort community rules, which I added a short while
ago.

The Snort alerts which are generated for the heartbleed vulnerability are
as follows:

04/14-02:54:29.148070  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
04/14-02:54:29.148663  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 161.69.31.4:50847
04/14-02:54:29.354600  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
04/14-02:54:29.354600  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443

What are the remedial steps to fix the heartbleed vulnerability on my web
server?

Thank you very much.

Teo En Ming
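
Added example (not part of the original message, and not Snort project code): a triage sketch that parses the fast-format alerts quoted in the message above, rejoined onto one line each, and groups them per TCP flow to show whether the inbound heartbeat-overrun alerts were followed by the outbound "large heartbeat response" alert from the server. The names `parse` and `triage`, and the treatment of port 443 as the server side, are assumptions of this example.

```python
import re
from collections import defaultdict

# The four alerts from the message above, one alert per line.
ALERTS = """\
04/14-02:54:29.148070  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
04/14-02:54:29.148663  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 161.69.31.4:50847
04/14-02:54:29.354600  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
04/14-02:54:29.354600  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
"""

# One fast-format alert: timestamp, [gid:sid:rev], message, class, priority, flow.
FAST = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+\[Classification:\s*(?P<cls>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(text):
    """Return one dict per alert line that matches the fast format."""
    return [m.groupdict() for m in map(FAST.match, text.splitlines()) if m]

def triage(alerts, server_port="443"):
    """Group alerts per (client, cport, server, sport) flow and direction."""
    flows = defaultdict(lambda: {"requests": [], "responses": []})
    for a in alerts:
        if a["dport"] == server_port:      # client -> server (probe)
            key = (a["src"], a["sport"], a["dst"], a["dport"])
            flows[key]["requests"].append(a["sid"])
        elif a["sport"] == server_port:    # server -> client (reply)
            key = (a["dst"], a["dport"], a["src"], a["sport"])
            flows[key]["responses"].append(a["sid"])
    # A flow with alerts in both directions means the server answered the probe.
    return {k: {**v, "server_responded": bool(v["requests"] and v["responses"])}
            for k, v in flows.items()}

if __name__ == "__main__":
    for flow, info in triage(parse(ALERTS)).items():
        print(flow, info)
```

A flow marked `server_responded` is the one to prioritise: the response-side rule only fires when the server actually sent a large heartbeat reply back to the scanner.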